Class: P2P-Worm
Platform: Win32

Parent class: VirWare

Viruses and worms are malicious programs that self-replicate on computers or via computer networks without the user being aware; each subsequent copy of such malicious programs is also able to self-replicate. Malicious programs which spread via networks or infect remote machines when commanded to do so by the “owner” (e.g. Backdoors) or programs that create multiple copies that are unable to self-replicate are not part of the Viruses and Worms subclass.

The main characteristic used to determine whether or not a program is classified as a separate behaviour within the Viruses and Worms subclass is how the program propagates (i.e. how the malicious program spreads copies of itself via local or network resources).

Most known worms are spread as files sent as email attachments, via a link to a web or FTP resource, via a link sent in an ICQ or IRC message, via P2P file sharing networks etc. Some worms spread as network packets; these directly penetrate the computer memory, and the worm code is then activated. Worms use the following techniques to penetrate remote computers and launch copies of themselves: social engineering (for example, an email message suggesting the user opens an attached file), exploiting network configuration errors (such as copying to a fully accessible disk), and exploiting loopholes in operating system and application security.

Viruses can be divided in accordance with the method used to infect a computer:
  • file viruses
  • boot sector viruses
  • macro viruses
  • script viruses
Any program within this subclass can have additional Trojan functions. It should also be noted that many worms use more than one method in order to spread copies via networks.

Class: P2P-Worm

P2P Worms spread via peer-to-peer file sharing networks (such as Kazaa, Grokster, EDonkey, FastTrack, Gnutella, etc.). Most of these worms work in a relatively simple way: in order to get onto a P2P network, all the worm has to do is copy itself to the file sharing directory, which is usually on a local machine. The P2P network does the rest: when a file search is conducted, it informs remote users of the file and provides services making it possible to download the file from the infected computer. There are also more complex P2P-Worms that imitate the network protocol of a specific file sharing system and respond positively to search queries; a copy of the P2P-Worm is offered as a match.

Platform: Win32

Win32 is an API on Windows NT-based operating systems (Windows XP, Windows 7, etc.) that supports execution of 32-bit applications. It is one of the most widespread programming platforms in the world.

Description

Technical Details

This worm spreads via the Kazaa and iMesh file-sharing networks, and also via IRC.

The worm itself is a Windows PE EXE file, approximately 12KB in size.

Installation

Once launched, the worm creates a folder called "Sys32i" in the Program Files directory, and copies itself to this folder as "Scran.exe".

This file is registered as a value under the autorun key in the system registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
  W32.Scran = %ProgramDir%\sys32i\Scran.exe

This ensures that the worm will be launched each time the system is rebooted.

The worm creates several more copies of itself under the following names:

Age of Empires crack.exe 
Age of Empires.exe
CD Key.exe 
Counter Strike 6.exe
Counter Strike.exe
Grand Theft Auto 3 CD2 ISO.exe
Half-Life.exe
Hotmail account cracker.exe
Hotmail Hack.exe
KeyGen.exe
Microsoft Office.exe
Norton Anti Virus 2004.exe
Norton Anti Virus 2005.exe
Norton Anti Virus Crack.exe
Norton Firewall.exe 
Norton Internet Security 2004.exe
Partition Magic 8.exe
Playstation 2.exe
Resident Evil.exe
Scran.cpl
Tomb Raider.exe
Trojan Remover.exe
Windows XP Home.exe
Yahoo Hack.exe
ZoneAlarm Firewall Pro.exe

This folder will be shown in the system registry as Local Content for Kazaa and iMesh:

[HKCU\Software\Kazaa\LocalContent]
[HKCU\Software\Kazaa\Transfer]
  "dir0" = "012345:%ProgramDir%\sys32i"
[HKCU\Software\iMesh\Client\LocalContent]
  "dir0" = "012345:%ProgramDir%\sys32i"

These files will then be accessible to other users of the P2P networks.
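The two registry changes described above can be correlated offline: an autorun executable that lives inside a folder shared to Kazaa or iMesh is a strong sign of this kind of worm. The following is an added example, not part of the original description; it parses `reg export` text, and the sample data is constructed, with `C:\Program Files` standing in for `%ProgramDir%`. It goes slightly beyond this one worm by flagging any Run entry located in a P2P shared folder.

```python
import re
from ntpath import normcase, normpath

# Constructed sample in `reg export` text format (not captured from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"W32.Scran"="C:\\Program Files\\sys32i\\Scran.exe"
"Updater"="C:\\Program Files\\Vendor\\update.exe"

[HKEY_CURRENT_USER\Software\Kazaa\Transfer]
"dir0"="012345:C:\\Program Files\\sys32i"

[HKEY_CURRENT_USER\Software\iMesh\Client\LocalContent]
"dir0"="012345:C:\\Program Files\\sys32i"
'''

RUN_KEY = r"\software\microsoft\windows\currentversion\run"
SHARE_KEYS = (r"\software\kazaa\localcontent", r"\software\kazaa\transfer",
              r"\software\imesh\client\localcontent")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    return re.sub(r'\\(.)', r'\1', s)  # .reg strings escape \ and "

def parse_reg(text):  # yields (key, value_name, string_data)
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            yield key, unescape(m.group(1)), unescape(m.group(2))

def canon(path):
    return normcase(normpath(path.strip('"')))

def autoruns_in_p2p_shares(text):
    """Return Run entries whose executable sits inside a P2P shared folder."""
    runs, shares = [], set()
    for key, name, data in parse_reg(text):
        k = key.lower()
        if k.endswith(RUN_KEY):
            runs.append((name, data))
        elif k.endswith(SHARE_KEYS) and name.lower().startswith("dir"):
            # dir0 data on the page looks like "012345:<path>"; drop the prefix.
            shares.add(canon(re.sub(r"^\d+:", "", data)))
    return [(n, d) for n, d in runs
            if any(canon(d).startswith(s + "\\") for s in shares)]
```
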

The worm creates an identifier "W32.Scran-Worm" to flag its presence in the system.

Propagation via IRC

The worm searches the victim machine for an IRC client. If it detects one, it will change the contents of the "script.ini" file so that the worm will be passed to all users who enter IRC channels used by the infected machine.

Other

The worm will download a file named "botnet.jpg" from http://www.freewebs.com. This file will be saved in the C: root directory as "botnet.exe". This file contains the latest version of Backdoor.Win32.Rbot.gen.

On 1 January, the worm will cause a dialogue box containing the following text to be displayed on the screen:

Ha?
Happy New Year W32.Scran!!
